Subject Access Requests put a fixed deadline on how quickly you must locate personal data, verify the requester, and send a response.
For many organisations, the harder part is the workflow: IT involvement, rising costs, and insecure channels for returning the data.
Data Subject Access Requests (DSARs) allow individuals to access personal information held by organisations.
Handling these requests can be intricate. Organisations must navigate data protection regulations, such as the General Data Protection Regulation (GDPR), and meet their requirements in practice.
Companies face significant challenges in this area. The Information Commissioner's Office (ICO) reported receiving over 15,000 subject access complaints in 2023.
In response, the ICO published new guidance for businesses and employers, highlighting widespread misunderstandings and how often the importance of a timely response is underestimated.
Why are organisations struggling so much?
The Problem With Fulfilling DSARs
Completing a DSAR often involves multiple tasks that require the expertise or system access of IT teams.
Unfortunately, IT departments are already overwhelmed.
Adding DSARs to their workload diverts attention from critical security operations and risks delays.
Under GDPR, organisations have one month to respond to a DSAR. Failing to meet this deadline can result in fines of up to 4% of global revenue.
What The Research Shows
Beyond compliance risks, the financial burden of managing DSARs is increasing. In a survey of UK privacy experts, 41% estimated the average cost of a DSAR at between £3,000 and £6,000.
As costs rise, organisations struggle to keep up - risking fines that further strain their resources.
Moreover, businesses must follow GDPR when processing DSARs, including securing the data they handle and protecting sensitive information.
To address these challenges, businesses should ask:
How can we efficiently handle DSAR tasks without overloading our teams?
How can we minimise the costs associated with DSARs?
How can we securely return DSAR data without breaching data protection laws?
Let’s explore the key ICO guidance to help answer these questions.
Authenticating Incoming Subject Access Requests
One primary concern in the DSAR process is verifying the authenticity of the requester. Confirming the identity of individuals making requests is crucial to prevent unauthorised access to personal data.
“To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that: you know the identity of the requester (or the person the request is made on behalf of); and the data you hold relates to the individual in question (e.g. when an individual has similar identifying details to another person).”
Always ask for enough information to confirm that the requester (or the person they are acting for) is the subject of the data.
Use multi-factor authentication or secondary ID verification where you need stronger assurance of identity.
Sending the Requested Data Back to the Subject
Once identity is verified, the next challenge is securely transmitting the data.
Data protection laws require confidentiality and the prevention of unauthorised disclosure.
Organisations must use secure channels when responding to DSARs.
“The security measures you need to take to send information securely as part of a subject access request (SAR) depend on the type of information you’re planning to send and what you think the risk is to the data. As a general rule, if a SAR was made to you by email, then there’s an expectation that you’ll reply by email, too, unless the person says otherwise.”
For SARs made via email - an inherently insecure channel - encryption is usually required to protect the response.
End-to-end encryption helps protect data in transit and at rest, reducing the risk of unauthorised access.
GDPR and similar rules expect secure channels when you share personal data in response to a DSAR.
Those delivery expectations shape how teams plan the final stage of a DSAR response.
Reducing Costs and Meeting Deadlines
Organisations are struggling to complete the DSAR process efficiently and cost-effectively within the required one-month window.
They need a solution that empowers teams to manage DSARs without heavy IT involvement - one that is secure, supports compliance expectations, and is cost-effective.
Need A Safer Way To Send Sensitive Email?
Mailock keeps email familiar while adding protected access, recipient checks, secure replies, message tracking, and sender controls.
Mailock, our secure email solution, provides end-to-end encryption and multi-factor authentication, enabling organisations to transmit data more safely and verify recipients' identities before access.
Used across regulated industries, Mailock helps firms reduce the operational burden of DSAR responses while supporting the controls regulators expect around identity and secure delivery.
FAQs
Why Is DSAR Fulfilment Difficult?
Teams need to identify the requester, gather the right data, redact safely, meet deadlines, and return information through a secure channel.
Why Does Requester Authentication Matter?
A DSAR response can contain sensitive personal data, so firms need confidence that they are sending it to the right person.
How Should DSAR Responses Be Sent?
Use a channel that protects access, supports secure replies, and gives the organisation evidence that the response was delivered.
Paul, CEO and Founder of Beyond Encryption, is an expert in digital identity, fintech, cybersecurity, and business. He developed Webline, a leading UK comparison engine, and now drives Mailock, Nigel, and AssureScore to help regulated businesses secure customer data.